[mapserver-dev] Motion: Updating the security reporting and workflow process

Jeff McKenna jmckenna at gatewaygeomatics.com
Fri Feb 28 09:53:11 PST 2020


So in summary the workflow would be:

1. user sends message to mapserver-security@
2. PSC members review and open private ticket if necessary
3. once a fix is available, inform all projects of the vulnerability
through a message sent to security-priv@ list

-jeff



On 2020-02-28 1:49 p.m., Jeff McKenna wrote:
> GeoServer leverages a 'geoserver-security@' list for their PSC security 
> discussions, similar to the MapServer alias (this was my logic in 
> implementing the new alias).   -jeff
> 
> 
> 
> On 2020-02-28 1:47 p.m., Jeff McKenna wrote:
>> Yes, in fact it was me who set that up for all projects, but the new
>> alias is specific to MapServer PSC (that was my logic for both).  -jeff
>>
>>
>>
>> On 2020-02-28 1:44 p.m., Angelos Tzotsos wrote:
>>> There is also the 
>>> https://lists.osgeo.org/mailman/listinfo/security-priv mailing list 
>>> to report this kind of issue; it has worked OK in the past.
>>>
>>> On 2/28/20 6:36 PM, Jeff McKenna wrote:
>>>> There is now a new alias that users can send an initial report to, 
>>>> that forwards to all PSC members: mapserver-security (at) osgeo 
>>>> (dot) org
>>>>
>>>> SteveL has also set up a private 'mapserver-private' repository on
>>>> GitHub, to handle valid security reports, privately.
>>>>
>>>> So therefore:
>>>>
>>>> Motion: update documentation 
>>>> (https://mapserver.org/development/bugs.html) to list the steps to 
>>>> report a security concern, mentioning the first step of sending a
>>>> report to mapserver-security (at), and the second step of a PSC member
>>>> creating a ticket in the 'mapserver-private' repository.
>>>>
>>>> +1
>>>>
>>>> -jeff
>>>>
>>>>
>>>>
>>>> If approved I volunteer to update docs now.
>>>>
>>>>
>>>> _______________________________________________
>>>> mapserver-dev mailing list
>>>> mapserver-dev at lists.osgeo.org
>>>> https://lists.osgeo.org/mailman/listinfo/mapserver-dev
>>>
>>>
>>
>>
> 
> 


-- 
Jeff McKenna
MapServer Consulting and Training Services
https://gatewaygeomatics.com/

